Open Platform for Protection against Phishing


The vision of the ThreatChase project is to improve cybersecurity capabilities and raise the level of cybersecurity across the EU with a platform providing protection against phishing. We consider that uptake of cybersecurity solutions greatly depends on data about malicious activities, on its accurate analysis, and on providing an open platform for cybersecurity solution adopters. The proposed innovative platform will contribute to improved cybersecurity preparedness by offering two services: i) a service providing structured data on malicious URLs and domain names used in phishing and ii) a service for phishing mitigation and notification of credentials (email addresses and passwords) that were stolen, for instance as a result of phishing, and have appeared in data leaks.

The objective of the project is to identify URLs used in phishing attacks (and collect comprehensive metadata about them) across all accessible open sources on the Internet through both passive and active scanning methods. The ThreatChase phishing service will be available to all interested parties in the form of a blacklist and made available through the MISP server for storing, distributing, and sharing phishing threat indicators. The proposed service can play a crucial role in contributing to market uptake and dissemination of innovative cybersecurity solutions. In fact, any cybersecurity solution depends on vulnerability and abuse data to provide protection services, and its effectiveness relies to a large extent on the freshness and accuracy of this kind of information. The ThreatChase service will provide organizations with valuable information about known and newly identified malicious URLs and domains, allowing them to identify and correlate security threats and take proactive measures to protect their networks and systems by blocking spam emails, phishing websites and resolutions of malicious domain names.

In addition to the proactive measures for fighting phishing, the platform will provide a service for companies and victims of phishing attacks that notifies companies and Internet users when their credentials (email addresses and passwords) have appeared in leaked databases, and enables a risk assessment of whether a password change is needed. Many organizations have already experienced the situation in which, as soon as new leaked datasets with credentials were published on the Internet, new cyber attacks started on the companies' web portals. One of the reasons for these attacks is that it is not common practice among Internet users to have different passwords for the different web applications they use. Because of that, cyber-criminals try out leaked credentials, expecting to benefit from taking over user accounts for various Internet services (telco, financial, social media, etc.).

Project Impact

The ThreatChase project will contribute in several ways to support the adoption of innovative cybersecurity solutions, provide tools and services to organisations, and improve the security of ICT solutions.

  1. Support the adoption of market-ready innovative cybersecurity solutions: By developing the platform for protection against phishing, the project will support the development and deployment of an innovative cybersecurity solution for protection against phishing.
  2. Provide and deploy up-to-date tools and services to organizations: The funding will provide the resources necessary to develop and deploy up-to-date tools and services to organizations, particularly SMEs. These tools and services will help organizations prepare, protect, and respond to cybersecurity threats. This will improve their ability to manage and mitigate cybersecurity risks and protect their critical assets.
  3. Improve the security of ICT solutions: The funding will provide the necessary resources to support the development of more secure ICT solutions, including open source. This will help to ensure that organizations are better equipped to protect their critical assets against cyber threats. Additionally, the funding will support the development of security protocols and best practices that will improve the overall security of ICT solutions.

The use of an open data platform will significantly contribute to the market uptake and dissemination of innovative cybersecurity solutions along the following lines:

  • Increased visibility and accessibility: An open data platform will increase the visibility and accessibility of innovative cybersecurity solutions, which makes it easier for organizations to find and adopt these solutions, leading to greater market uptake. The open platform will also provide a centralized repository of information on the cybersecurity solutions available, making it easier for organizations to compare and evaluate the solutions. The repository will include information about the proposed solutions: the seller or the providing organization, the solution description, and the link to the solution. The description of cybersecurity solutions will be available on the Orange CERT web portal.
  • Improved collaboration and sharing: The open data platform will promote collaboration and sharing between organizations and stakeholders in the cybersecurity community, which will foster an environment of knowledge-sharing, where organizations can learn from each other and share best practices. It will contribute to the dissemination of innovative cybersecurity solutions and help to ensure that organizations are better equipped to manage and mitigate cybersecurity risks.
  • Increased trust and confidence: An open data platform provides transparency and accountability, which increases trust and confidence in the cybersecurity solutions. This helps to overcome the barriers to adoption and encourages organizations to adopt innovative cybersecurity solutions.
  • Enhanced innovation: The open data platform provides a place for the exchange of ideas and collaboration, which can lead to further innovation in the field of cybersecurity. The platform will enable organizations to share their experiences and challenges, and this can lead to the development of new and improved cybersecurity solutions.

The proposed platform will improve cybersecurity capabilities across the EU, notably for SMEs and public organizations, by providing the essential information needed to identify and block malicious traffic before it reaches their networks. It can help organizations to detect and respond to cyberattacks more quickly based on real-time threat intelligence, allowing them to identify when their systems are being targeted by attackers and take appropriate action. This can include shutting down compromised systems, isolating infected machines, and implementing incident response procedures. The service will provide data for various cybersecurity protection services or investigation tools. It may also support incident response tools that fit into general operational and management cybersecurity strategies. Thanks to the MISP representation format, the ThreatChase platform can be used to support Coordinated Vulnerability Disclosure. As any open-source software may take advantage of the data provided by the service, the capacity of cybersecurity tools and applications to detect and analyse security incidents will be improved.

A part of the project effort will be devoted to raising awareness of the service and its capacity to improve cybersecurity across the EU. Our ultimate goal is to make the ThreatChase platform a pivotal place for supporting interaction between suppliers and adopters of cybersecurity solutions.


The ThreatChase Consortium consists of 4 participants from 3 EU member states (France, Poland, and Portugal):

KOR Labs SAS is a university spin-off dedicated to combating cyber threats, helping the Internet community collectively increase barriers to abuse as well as companies to increase the effectiveness of their network protection and countermeasures. The team comprises security researchers with a strong academic track record and world-class expertise in cyber security and Internet technologies. The main focus of KOR Labs activities is on domain name and Domain Name System (DNS) abuse. The founders of KOR Labs are Prof. Maciej Korczyński and Prof. Andrzej Duda.

ORANGE Polska SA is a leader on the Polish market of fixed telephony, Internet, and data transmission. As the only operator, it offers comprehensive telecommunications solutions available throughout the country. Cybersecurity is one of the key areas continuously developed in OPL. OPL CERT has already been operating for 25 years and provides cybersecurity services to a wide range of customers, protecting them against identified modern cyberthreats (DDoS, malware, phishing, application vulnerabilities).

PDMFC LDA is an SME from Portugal with a strong focus on the area of Information Security, having developed software that helps dozens of large customers (including Governments) to detect fraud, money laundering, and tax evasion, among many other things. It provides the Identity and Access Management framework (called SPA) that includes Real Time Risk Assessment, Segregation of Duties, and Cryptographic fingerprinting of operations. PDMFC has experience in the Information Security-related area, manages several CSIRTs at national level (consultancy work), and develops Identity and Access Management Intelligence tools.

NovaForensic (legal name: Stability Bubble LDA) is a start-up from Portugal, founded by a former law enforcement agency crime investigator, with a focus on the development of tools for Digital Forensics. Its tools are used by all LEAs in Portugal to obtain relevant digital evidence for the crime (cyber-incident) under investigation. NovaForensic's objective is the evolution of digital forensic expertise through the adoption of the Forensic as a Service (FaaS) paradigm, which consists of the provision of forensic software in cloud computing enhanced by an artificial intelligence federated learning system.

Project Details


The project funded by the European Union under Grant Agreement No. 101128042 is supported by the European Cybersecurity Competence Centre. Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union or the European Cybersecurity Competence Centre. Neither the European Union nor the European Cybersecurity Competence Centre can be held responsible for them.

  • Project number: 101128042
  • Call: DIGITAL-ECCC-2022-CYBER-03
  • Type of action: DIGITAL JU SME Support Actions
  • Project starting date: 1 October 2023
  • Project end date: 30 September 2026

Coordinating partner: KOR Labs